HPE FlexNetwork MSR Router Series Comware 7 Security Configuration Guide Part number: 5998-6958 Software version: CMW710-R0403L02 Document version: 6PW200-20160226


    Copyright 2016 Hewlett Packard Enterprise Development LP

    The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

    Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under the vendor's standard commercial license.

    Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

    Acknowledgments

    Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

    Microsoft and Windows are trademarks of the Microsoft group of companies.

    Adobe and Acrobat are trademarks of Adobe Systems Incorporated.

    Java and Oracle are registered trademarks of Oracle and/or its affiliates.

    UNIX is a registered trademark of The Open Group.

    Contents

    Configuring AAA 1
      Overview 1
        RADIUS 2
        HWTACACS 7
        LDAP 9
        AAA implementation on the device 12
        AAA for MPLS L3VPNs 14
        Protocols and standards 14
        RADIUS attributes 15
      Command and hardware compatibility 18
      FIPS compliance 18
      AAA configuration considerations and task list 18
      Configuring AAA schemes 19
        Configuring local users 20
        Configuring RADIUS schemes 25
        Configuring HWTACACS schemes 36
        Configuring LDAP schemes 42
      Configuring AAA methods for ISP domains 46
        Configuration prerequisites 46
        Creating an ISP domain 46
        Configuring ISP domain attributes 47
        Configuring authentication methods for an ISP domain 49
        Configuring authorization methods for an ISP domain 51
        Configuring accounting methods for an ISP domain 52
      Enabling the session-control feature 54
      Configuring the RADIUS DAE server feature 55
      Changing the DSCP priority for RADIUS packets 55
      Setting the maximum number of concurrent login users 56
      Configuring and applying an ITA policy 56
      Configuring a NAS-ID profile 57
      Configuring the Acct-Session-Id format 57
      Displaying and maintaining AAA 58
      AAA configuration examples 58
        Authentication and authorization for SSH users by a RADIUS server 58
        Local authentication and authorization for SSH users 62
        AAA for SSH users by an HWTACACS server 63
        Authentication for SSH users by an LDAP server 65
        Authentication and authorization for SSL VPN users by an LDAP server 70
        AAA for PPP users by an HWTACACS server 75
      Troubleshooting RADIUS 76
        RADIUS authentication failure 76
        RADIUS packet delivery failure 77
        RADIUS accounting error 77
      Troubleshooting HWTACACS 78
      Troubleshooting LDAP 78

    802.1X overview 79
      802.1X architecture 79
      Controlled/uncontrolled port and port authorization status 79
      802.1X-related protocols 80
        Packet formats 80
        EAP over RADIUS 81
      802.1X authentication initiation 82
        802.1X client as the initiator 82
        Access device as the initiator 82
      802.1X authentication procedures 83
        Comparing EAP relay and EAP termination 84
        EAP relay 84
        EAP termination 86

    Configuring 802.1X 88
      Access control methods 88
      802.1X VLAN manipulation 88
        Authorization VLAN 88
        Guest VLAN 90
        Auth-Fail VLAN 91
        Critical VLAN 91
      Using 802.1X authentication with other features 92
        ACL assignment 92
        EAD assistant 93
        SmartOn 93
      Compatibility information 94
        Feature and hardware compatibility 94
        Command and hardware compatibility 94
      Configuration prerequisites 95
      802.1X configuration task list 95
      Enabling 802.1X 95
      Enabling EAP relay or EAP termination 96
      Setting the port authorization state 96
      Specifying an access control method 97
      Setting the maximum number of concurrent 802.1X users on a port 98
      Setting the maximum number of authentication request attempts 98
      Setting the 802.1X authentication timeout timers 98
      Configuring the online user handshake feature 99
        Configuration guidelines 99
        Configuration procedure 99
      Configuring the authentication trigger feature 100
        Configuration guidelines 100
        Configuration procedure 100
      Specifying a mandatory authentication domain on a port 100
      Setting the quiet timer 101
      Enabling the periodic online user reauthentication feature 101
      Configuring an 802.1X guest VLAN 102
        Configuration guidelines 102
        Configuration procedure 102
      Configuring an 802.1X Auth-Fail VLAN 102
        Configuration guidelines 102
        Configuration procedure 103
      Configuring an 802.1X critical VLAN 103
        Configuration guidelines 103
        Configuration procedure 103
      Specifying supported domain name delimiters 103
      Configuring the EAD assistant feature 104
      Configuring 802.1X SmartOn 105
      Displaying and maintaining 802.1X 106
      802.1X authentication configuration examples 106
        Basic 802.1X authentication configuration example 106
        802.1X guest VLAN and authorization VLAN configuration example 108
        802.1X with ACL assignment configuration example 111
        802.1X with EAD assistant configuration example (with DHCP relay agent) 112
        802.1X with EAD assistant configuration example (with DHCP server) 115
        802.1X SmartOn configuration example 117
      Troubleshooting 802.1X 119
        Web browser users cannot be redirected correctly 119

    Configuring MAC authentication 120
      Overview 120
        User account policies 120
        Authentication methods 120
        VLAN assignment 121
        ACL assignment 121
        Periodic MAC reauthentication 121
      Compatibility information 122
        Feature and hardware compatibility 122
        Command and hardware compatibility 122
      Configuration prerequisites 122
      Configuration task list 123
      Enabling MAC authentication 123
      Specifying a MAC authentication domain 123
      Configuring the user account format 124
      Configuring MAC authentication timers 124
      Setting the maximum number of concurrent MAC authentication users on a port 125
      Configuring MAC authentication delay 125
      Enabling MAC authentication multi-VLAN mode on a port 126
      Configuring the keep-online feature 126
      Displaying and maintaining MAC authentication 127
      MAC authentication configuration examples 127
        Local MAC authentication configuration example 127
        RADIUS-based MAC authentication configuration example 129
        ACL assignment configuration example 131

    Configuring portal authentication 134
      Overview 134
        Extended portal functions 134
        Portal system components 134
        Interaction between portal system components 136
        Portal authentication modes 136
        Portal authentication process 137
      Command and hardware compatibility 139
      Portal configuration task list 139
      Configuration prerequisites 140
      Configuring a portal authentication server 140
      Configuring a portal Web server 141
      Enabling portal authentication on an interface 141
        Configuration restrictions and guidelines 142
        Configuration procedure 142
      Referencing a portal Web server for an interface 142
      Controlling portal user access 143
        Configuring a portal-free rule 143
        Configuring an authentication source subnet 144
        Configuring an authentication destination subnet 145
        Setting the maximum number of portal users 145
        Specifying a portal authentication domain 146
        Specifying a preauthentication domain 147
        Configuring a preauthentication IP address pool for portal users 148
        Enabling strict-checking on portal authorization information 148
        Enabling outgoing packets filtering on a portal-enabled interface 149
      Configuring portal detection features 149
        Configuring online detection of portal users 149
        Configuring portal authentication server detection 150
        Configuring portal Web server detection 151
        Configuring portal user synchronization 152
      Configuring the portal fail-permit feature 153
      Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server 153
      Enabling portal roaming 154
      Specifying a format for the NAS-Port-ID attribute 154
      Logging out portal users 155
      Configuring Web redirect 155
      Applying a NAS-ID profile to an interface 156
      Displaying and maintaining portal 156
      Portal configuration examples 157
        Configuring direct portal authentication 157
        Configuring re-DHCP portal authentication 167
        Configuring cross-subnet portal authentication 170
        Configuring extended direct portal authentication 173
        Configuring extended re-DHCP portal authentication 176
        Configuring extended cross-subnet portal authentication 180
        Configuring portal server detection and portal user synchronization 184
        Configuring cross-subnet portal authentication for MPLS L3VPNs 192
        Configuring direct portal authentication with a preauthentication domain 194
        Configuring re-DHCP portal authentication with a preauthentication domain 196
      Troubleshooting portal 199
        No portal authentication page is pushed for users 199
        Cannot log out portal users on the access device 199
        Cannot log out portal users on the RADIUS server 200
        Users logged out by the access device still exist on the portal authentication server 200
        Re-DHCP portal authenticated users cannot log in successfully 200

    Configuring port security 202
      Overview 202
        Port security features 202
        Port security modes 202
      Feature and hardware compatibility 205
      Configuration task list 205
      Enabling port security 205
      Setting port security's limit on the number of secure MAC addresses on a port 206
      Setting the port security mode 206
      Configuring port security features 208
        Configuring NTK 208
        Configuring intrusion protection 208
      Configuring secure MAC addresses 209
        Configuration prerequisites 210
        Configuration procedure 210
      Ignoring authorization information from the server 211
      Enabling MAC move 211
      Enabling the authorization-fail-offline feature 212
      Applying a NAS-ID profile to port security 212
      Displaying and maintaining port security 213
      Port security configuration examples 213
        autoLearn configuration example 213
        userLoginWithOUI configuration example 215
        macAddressElseUserLoginSecure configuration example 218
      Troubleshooting port security 222
        Cannot set the port security mode 222
        Cannot configure secure MAC addresses 222

    Configuring user profiles 223
      Overview 223
      Compatibility information 223
        Feature and hardware compatibility 223
        Command and hardware compatibility 223
      User profile configuration task list 223
      Configuration restrictions and guidelines 224
      Configuring a user profile 224
      Displaying and maintaining user profiles 224

    Configuring password control 225
      Overview 225
        Password setting 225
        Password updating and expiration 226
        User login control 227
        Password not displayed in any form 227
        Logging 227
      FIPS compliance 228
      Password control configuration task list 228
      Enabling password control 228
      Setting global password control parameters 229
      Setting user group password control parameters 230
      Setting local user password control parameters 231
      Setting super password control parameters 231
      Displaying and maintaining password control 232
      Password control configuration example 232
        Network requirements 232
        Configuration procedure 233
        Verifying the configuration 234

    Managing public keys 236
      Overview 236
      FIPS compliance 236
      Creating a local key pair 236
      Distributing a local host public key 237
        Exporting a host public key 238
        Displaying a host public key 238
      Destroying a local key pair 238
      Configuring a peer host public key 239
        Importing a peer host public key from a public key file 239
        Entering a peer host public key 239
      Displaying and maintaining public keys 240
      Examples of public key management 240
        Example for entering a peer host public key 240
        Example for importing a public key from a public key file 242

    Configuring PKI 245
      Overview 245
        PKI terminology 245
        PKI architecture 246
        PKI operation 246
        PKI applications 247
        Support for MPLS L3VPN 247
      FIPS compliance 248
      PKI configuration task list 248
      Configuring a PKI entity 248
      Configuring a PKI domain 249
      Requesting a certificate 251
        Configuration guidelines 251
        Configuring automatic certificate request 252
        Manually requesting a certificate 252
      Aborting a certificate request 253
      Obtaining certificates 253
        Configuration prerequisites 253
        Configuration guidelines 254
        Configuration procedure 254
      Verifying PKI certificates 254
        Verifying certificates with CRL checking 254
        Verifying certificates without CRL checking 255
      Specifying the storage path for the certificates and CRLs 256
      Exporting certificates 256
      Removing a certificate 257
      Configuring a certificate-based access control policy 257
      Displaying and maintaining PKI 258
      PKI configuration examples 259
        Requesting a certificate from an RSA Keon CA server 259
        Requesting a certificate from a Windows Server 2003 CA server 261
        Requesting a certificate from an OpenCA server 265
        Requesting a certificate from an RSA Keon CA server in an NAT-PT network 268
        IKE negotiation with RSA digital signature from a Windows Server 2003 CA server 271
        Certificate-based access control policy configuration example 274
        Certificate import and export configuration example 275
      Troubleshooting PKI configuration 281
        Failed to obtain the CA certificate 281
        Failed to obtain local certificates 281
        Failed to request local certificates 282
        Failed to obtain CRLs 283
        Failed to import the CA certificate 283
        Failed to import a local certificate 284
        Failed to export certificates 284
        Failed to set the storage path 285

    Configuring IPsec 286
      Overview 286
        Security protocols and encapsulation modes 286
        Security association 288
        Authentication and encryption 288
        IPsec implementation 289
        IPsec RRI 290
        Protocols and standards 291
      FIPS compliance 291
      Security strength 291
      IPsec tunnel establishment 291
      Implementing ACL-based IPsec 292
        Configuring an ACL 292
        Configuring an IPsec transform set 295
        Configuring a manual IPsec policy 297
        Configuring an IKE-based IPsec policy 299
        Applying an IPsec policy to an interface 303
        Enabling ACL checking for de-encapsulated packets 304
        Configuring IPsec anti-replay 305
        Configuring IPsec anti-replay redundancy 305
        Binding a source interface to an IPsec policy 306
        Enabling QoS pre-classify 307
        Enabling logging of IPsec packets 307
        Configuring the DF bit of IPsec packets 307
        Configuring IPsec RRI 308
      Configuring IPsec for IPv6 routing protocols 309
        Configuration task list 309
        Configuring a manual IPsec profile 309
      Configuring IPsec for tunnels 311
        Configuration task list 311
        Configuring an IKE-based IPsec profile 311
        Applying an IKE-based IPsec profile to a tunnel interface 312
      Configuring SNMP notifications for IPsec 312
      Displaying and maintaining IPsec 313
      IPsec configuration examples 314
        Configuring a manual mode IPsec tunnel for IPv4 packets 314
        Configuring an IKE-based IPsec tunnel for IPv4 packets 317
        Configuring an IKE-based IPsec tunnel for IPv6 packets 320
        Configuring IPsec for RIPng 324
        Configuring IPsec RRI 327

    Configuring IKE 331
      Overview 331
        IKE negotiation process 331
        IKE security mechanism 332
        Protocols and standards 333
      FIPS compliance 333
      IKE configuration prerequisites 333
      IKE configuration task list 333
      Configuring an IKE profile 334
      Configuring an IKE proposal 336
      Configuring an IKE keychain 337
      Configuring the global identity information 338
      Configuring the IKE keepalive function 339
      Configuring the IKE NAT keepalive function 339
      Configuring IKE DPD 339
      Enabling invalid SPI recovery 340
      Setting the maximum number of IKE SAs 341
      Configuring SNMP notifications for IKE 341
      Displaying and maintaining IKE 342
      IKE configuration examples 342
        Main mode IKE with pre-shared key authentication configuration example 342
        Aggressive mode with RSA signature authentication configuration example 346
        Aggressive mode with NAT traversal configuration example 353
      Troubleshooting IKE 357
        IKE negotiation failed because no matching IKE proposals were found 357
        IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly 358
        IPsec SA negotiation failed because no matching IPsec transform sets were found 358
        IPsec SA negotiation failed due to invalid identity information 359

    Configuring IKEv2 362
      Overview 362
        IKEv2 negotiation process 362
        New features in IKEv2 363
        Protocols and standards 363
      IKEv2 configuration task list 363
      Configuring an IKEv2 profile 364
      Configuring an IKEv2 policy 367
      Configuring an IKEv2 proposal 368
      Configuring an IKEv2 keychain 369
      Configure global IKEv2 parameters 370
        Enabling the cookie challenging feature 370
        Configuring the IKEv2 DPD feature 370
        Configuring the IKEv2 NAT keepalive feature 371
        Configuring IKEv2 address pools 371
      Displaying and maintaining IKEv2 371
      IKEv2 configuration examples 372
        IKEv2 with pre-shared key authentication configuration example 372
        IKEv2 with RSA signature authentication configuration example 376
        IKEv2 with NAT traversal configuration example 384
      Troubleshooting IKEv2 389
        IKEv2 negotiation failed because no matching IKEv2 proposals were found 389
        IPsec SA negotiation failed because no matching IPsec transform sets were found 389
        IPsec tunnel establishment failed 390

    Configuring SSH 391
      Overview 391
        How SSH works 391
        SSH authentication methods 392
      FIPS compliance 393
      Configuring the device as an SSH server 393
        SSH server configuration task list 393
        Generating local DSA or RSA key pairs 394
        Enabling the Stelnet server 395
        Enabling the SFTP server 395
        Enabling the SCP server 395
        Enabling NETCONF over SSH 396
        Configuring the user lines for SSH login 396
        Configuring a client's host public key 396
        Configuring an SSH user 397
        Configuring the SSH management parameters 399
      Configuring the device as an Stelnet client 400
        Stelnet client configuration task list 400
        Generating local DSA or RSA key pairs 400
        Specifying the source IP address for SSH packets 400
        Establishing a connection to an Stelnet server 401
      Configuring the device as an SFTP client 403
        SFTP client configuration task list 403
        Generating local DSA or RSA key pairs 403
        Specifying the source IP address for SFTP packets 403
        Establishing a connection to an SFTP server 404
        Working with SFTP directories 405
        Working with SFTP files 405
        Displaying help information 406
        Terminating the connection with the SFTP server 406
      Configuring the device as an SCP client 406
        SCP client configuration task list 406
        Generating local DSA or RSA key pairs 406
        Establishing a connection to an SCP server 407
      Displaying and maintaining SSH 408
      Stelnet configuration examples 408
        Password authentication enabled Stelnet server configuration example 409
        Publickey authentication enabled Stelnet server configuration example 411
        Password authentication enabled Stelnet client configuration example 417
        Publickey authentication enabled Stelnet client configuration example 420
      SFTP configuration examples 422
        Password authentication enabled SFTP server configuration example 422
        Publickey authentication enabled SFTP client configuration example 424
      SCP configuration example 428
        Network requirements 428
        Configuration procedure 428
      NETCONF over SSH configuration example 429
        Network requirements 430
        Configuration procedure 430
        Verifying the configuration 431

    Configuring SSL 432
      Overview 432
        SSL security services 432
        SSL protocol stack 432
      Feature and hardware compatibility 433
      FIPS compliance 433
      SSL configuration task list 433
      Configuring an SSL server policy 434
      Configuring an SSL client policy 435
      Displaying and maintaining SSL 436
      SSL server policy configuration example 436

    Configuring ASPF 439
      Overview 439
        ASPF basic concepts 439
        ASPF inspections 440
      Command and hardware compatibility 442
      ASPF configuration task list 442
      Configuring an ASPF policy 442
      Applying an ASPF policy to an interface 443
      Applying an ASPF policy to a zone pair 443
      Displaying and maintaining ASPF 444
      ASPF configuration examples 445
        ASPF FTP application inspection configuration example 445
        ASPF TCP application inspection configuration example 446
        ASPF H.323 application inspection configuration example 447
        ASPF application to a zone pair configuration example 448

    Configuring APR 451
      Overview 451
        PBAR 451
        Group-based application recognition 451
      Command and hardware compatibility 452
      Configuring PBAR 452
      Configuring application groups 453
      Enabling application statistics on an interface 453
      Displaying and maintaining APR 454
      APR configuration example 455
        Network requirements 455
        Configuration procedure 455
        Verifying the configuration 455

    Managing sessions 456
      Overview 456
        Session management operation 456
        Session management functions 456
      Command and hardware compatibility 457
      Session management task list 457
      Setting the session aging time for different protocol states 457
      Setting the session aging time for different application layer protocols 458
      Specifying persistent sessions 459
      Enabling session statistics collection 459
      Configuring session logging 459
      Displaying and maintaining session management 460

    Configuring connection limits 463
      Command and hardware compatibility 463
      Interface-based connection limit configuration task list 463
      Creating a connection limit policy 464
      Configuring the connection limit policy 464
      Applying the connection limit policy 465
      Displaying and maintaining connection limits 465
      Connection limit configuration example 466
        Network requirements 466
        Configuration procedure 467
        Verifying the configuration 468
      Troubleshooting connection limits 468
        ACLs in the connection limit rules with overlapping segments 468

    Configuring object groups 470
      Overview 470
      Feature and hardware compatibility 470
      Configuring an IPv4 address object group 470
      Configuring an IPv6 address object group 471
      Configuring a port object group 471
      Configuring a service object group 471
      Displaying and maintaining object groups 472

    Configuring object policies 473
      Overview 473
      Compatibility information 473
        Feature and hardware compatibility 473
        Command and hardware compatibility 473
      Object policy rules 473
        Rule numbering 473
        Rule match order 474
        Rule description 474
      Object policy configuration task list 474
      Configuration prerequisites 474
      Creating object policies 474
        Creating an IPv4 object policy 474
        Creating an IPv6 object policy 475
      Configuring object policy rules 475
        Configuring an IPv4 object policy rule 475
        Configuring an IPv6 object policy rule 476
      Applying object policies to zone pairs 476
      Changing the rule match order 477
      Enabling rule matching acceleration 477
      Displaying and maintaining object policies 477
      Object policy configuration example 478
        Network requirements 478
        Configuration procedure 479
        Verifying the configuration 480

    Configuring attack detection and prevention 481
      Overview 481
      Command and hardware compatibility 481
      Attacks that the device can prevent 481
        Single-packet attacks 481
        Scanning attacks 483
        Flood attacks 483
        TCP fragment attacks 484
      Blacklist feature 484
      Client verification 485
        TCP client verification 485
        DNS client verification 487
        HTTP client verification 488
      Attack detection and prevention configuration task list 489
      Configuring an attack defense policy 489
        Creating an attack defense policy 489
        Configuring a single-packet attack defense policy 489
        Configuring a scanning attack defense policy 491
        Configuring a flood attack defense policy 491
        Configuring attack detection exemption 496
        Applying an attack defense policy to an interface 497
        Applying an attack defense policy to the device 497
        Disabling log aggregation for single-packet attack events 498
      Configuring TCP fragment attack prevention 498
      Configuring TCP client verification 498
      Configuring DNS client verification 499
      Configuring HTTP client verification 500
      Configuring the blacklist feature 500
      Displaying and maintaining attack detection and prevention 501
      Attack detection and prevention configuration examples 506
        Interface-based attack detection and prevention configuration example 506
        Blacklist configuration example 509
        TCP client verification configuration example 510
        DNS client verification configuration example 511
        HTTP client verification configuration example 512

    Configuring IP source guard 514
      Overview 514
        Static IPSG bindings 514
        Dynamic IPSG bindings 515
      Compatibility information 515
        Feature and hardware compatibility 515
        Command and hardware compatibility 515
      IPSG configuration task list 516
      Configuring the IPv4SG feature 516
        Enabling IPv4SG on an interface 516
        Configuring a static IPv4SG binding 517
      Configuring the IPv6SG feature 517
        Enabling IPv6SG on an interface 517
        Configuring a static IPv6SG binding 517
      Displaying and maintaining IPSG 518
      IPSG configuration examples 519
        Static IPv4SG configuration example 519
        Dynamic IPv4SG using DHCP snooping configuration example 520
        Dynamic IPv4SG using DHCP relay configuration example 521
        Static IPv6SG configuration example 522
        Dynamic IPv6SG using DHCPv6 snooping configuration example 522

    Configuring ARP attack protection 524
      Command and hardware compatibility 524
      ARP attack protection configuration task list 524
      Configuring unresolvable IP attack protection 525
        Configuring ARP source suppression 525
        Enabling ARP blackhole routing 525
        Displaying and maintaining unresolvable IP attack protection 525
        Configuration example 526
      Configuring source MAC-based ARP attack detection 527
        Configuration procedure 527
        Displaying and maintaining source MAC-based ARP attack detection 527
        Configuration example 528
      Configuring ARP packet source MAC consistency check 529
      Configuring ARP active acknowledgement 529
      Configuring authorized ARP 529
        Configuration procedure 530
        Configuration example (on a DHCP server) 530
        Configuration example (on a DHCP relay agent) 531
      Configuring ARP detection 532
        Configuring user validity check 533
        Configuring ARP packet validity check 534
        Configuring ARP restricted forwarding 534
        Displaying and maintaining ARP detection 535
        User validity check and ARP packet validity check configuration example 535
        ARP restricted forwarding configuration example 536
      Configuring ARP scanning and fixed ARP 538
        Configuration restrictions and guidelines 538
        Configuration procedure 538
      Configuring ARP gateway protection 539
        Configuration guidelines 539
        Configuration procedure 539
        Configuration example 539
      Configuring ARP filtering 540
        Configuration guidelines 540
        Configuration procedure 540
        Configuration example 541

    Configuring uRPF 542
      Overview 542
        uRPF check modes 542
        Features 542
        uRPF operation 543
        Network application 546
      Command and hardware compatibility 546
      Configuring uRPF 546
      Displaying and maintaining uRPF 547
      uRPF configuration example 547

    Configuring IPv6 uRPF 549
      Overview 549
        IPv6 uRPF check modes 549
        Features 549
        IPv6 uRPF operation 550
        Network application 552
      Command and hardware compatibility 552
      Configuring IPv6 uRPF 552
      Displaying and maintaining IPv6 uRPF 553
      IPv6 uRPF configuration example 553

    Configuring crypto engines 555
      Overview 555
      Command and hardware compatibility 555
      Configuring hardware crypto engines 555
      Displaying and maintaining crypto engines 556

    Configuring FIPS 557
      Overview 557
      Feature and hardware compatibility 557
      Configuration restrictions and guidelines 557
      Configuring FIPS mode 558
        Entering FIPS mode 558
        Configuration changes in FIPS mode 559
        Exiting FIPS mode 560
      FIPS self-tests 561
        Power-up self-tests 561
        Conditional self-tests 562
        Triggering self-tests 562
      Displaying and maintaining FIPS 562
      FIPS configuration examples 562
        Entering FIPS mode through automatic reboot 562
        Entering FIPS mode through manual reboot 563
        Exiting FIPS mode through automatic reboot 565
        Exiting FIPS mode through manual reboot 565

    Configuring DPI engine 567
      Command and hardware compatibility 567
      Overview 567
        DPI engine inspection rules 567
        DPI engine mechanism 567
      DPI engine configuration task list 569
      Configure a DPI application profile 570
      Activating DPI services 570
      Configuring action parameter profiles 571
        Configuring a block source parameter profile 571
        Configuring a capture parameter profile 571
        Configuring a logging parameter profile 572
        Configuring a redirect parameter profile 572
        Configuring an email parameter profile 572
      Optimizing the DPI engine 573
      Disabling inspection suspension upon excessive CPU usage 574
      Displaying and maintaining DPI engine 574

    Configuring IPS 576
      Overview 576
        IPS signatures 576
        Signature actions 576
        IPS mechanism 577
        IPS signature library management 578
      IPS configuration task list 579
      Configuring an IPS policy 579
      Specifying a parameter profile for an IPS signature action 580
      Applying an IPS policy to a DPI application profile 580
      Importing user-defined IPS signatures 580
      Using a DPI application profile in an object policy rule 581
        Using a DPI application profile in an IPv4 object policy rule 581
        Using a DPI application profile in an IPv6 object policy rule 581
      Applying object policies to zone pairs 581
      Managing the IPS signature library 582
        Scheduling an IPS signature automatic update 582
        Triggering an immediate IPS signature update 583
        Specifying the URL for IPS signature auto update 583
        Performing an IPS signature manual update 583
        Rolling back the IPS signature library 584
      Activating DPI services 584
      Displaying and maintaining IPS 584
      IPS configuration examples 585
        Default IPS policy application example 585
        User-defined IPS policy application example 586
        IPS signature library manual update configuration example 588
        IPS signature library automatic update configuration example 590

    Document conventions and icons 591
      Conventions 591
      Network topology icons 592

    Support and other resources 593
      Accessing Hewlett Packard Enterprise Support 593
      Accessing updates 593
        Websites 594
        Customer self repair 594
        Remote support 594
        Documentation feedback 594

    Index 595


    Configuring AAA

    Overview

    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. AAA provides the following security functions:

    • Authentication: Identifies users and verifies their validity.
    • Authorization: Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.
    • Accounting: Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and user behavior auditing.

    AAA uses a client/server model. The client runs on the access device, or the network access server (NAS), which authenticates user identities and controls user access. The server maintains user information centrally. See Figure 1.

    Figure 1 AAA network diagram

    To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The NAS transparently passes the user information to AAA servers and waits for the authentication, authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny the access request.

    AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often used.

    The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different servers to implement different security functions. For example, you can use the HWTACACS server for authentication and authorization, and use the RADIUS server for accounting.

    You can choose the security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, you would deploy an authentication server. If network usage information is needed, you would also configure an accounting server.

    The device performs dynamic password authentication.

Figure 1 labels: Remote user, NAS, RADIUS server, HWTACACS server, Internet, Network.


RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.

    The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.

    RADIUS was originally designed for dial-in user access, and has been extended to support additional access methods, such as Ethernet and ADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

    The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access.

The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access request) to the clients.

    The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services.

The RADIUS server maintains the following databases:
• Users: Stores user information, such as the usernames, passwords, applied protocols, and IP addresses.
• Clients: Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary: Stores RADIUS protocol attributes and their values.

    Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys, which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key, and some other information. The receiver of the packet verifies the signature and accepts the packet only when the signature is correct. This mechanism ensures the security of information exchanged between the RADIUS client and server.

    The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.


Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

    Figure 3 Basic RADIUS packet exchange process

RADIUS operates using the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The request includes the user's password, which has been processed by the MD5 algorithm and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the server sends back an Access-Accept packet that contains the user's authorization information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for the user.
10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms include the timer mechanism, the retransmission mechanism, and the backup server mechanism.


    Figure 4 RADIUS packet format

Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.

Table 1 Main values of the Code field

Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 | Access-Accept | From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.

• The Identifier field (1 byte long) is used to match response packets with request packets and to detect duplicate request packets. The request and response packets of the same exchange process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields:
  • Type: Type of the attribute.
  • Length: Length of the attribute in bytes, including the Type, Length, and Value subfields.
  • Value: Value of the attribute. Its format and content depend on the Type subfield.

    Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes

No. | Attribute | No. | Attribute
1 | User-Name | 45 | Acct-Authentic
2 | User-Password | 46 | Acct-Session-Time
3 | CHAP-Password | 47 | Acct-Input-Packets
4 | NAS-IP-Address | 48 | Acct-Output-Packets
5 | NAS-Port | 49 | Acct-Terminate-Cause
6 | Service-Type | 50 | Acct-Multi-Session-Id
7 | Framed-Protocol | 51 | Acct-Link-Count
8 | Framed-IP-Address | 52 | Acct-Input-Gigawords
9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords
10 | Framed-Routing | 54 | (unassigned)
11 | Filter-ID | 55 | Event-Timestamp
12 | Framed-MTU | 56-59 | (unassigned)
13 | Framed-Compression | 60 | CHAP-Challenge
14 | Login-IP-Host | 61 | NAS-Port-Type
15 | Login-Service | 62 | Port-Limit
16 | Login-TCP-Port | 63 | Login-LAT-Port
17 | (unassigned) | 64 | Tunnel-Type
18 | Reply-Message | 65 | Tunnel-Medium-Type
19 | Callback-Number | 66 | Tunnel-Client-Endpoint
20 | Callback-ID | 67 | Tunnel-Server-Endpoint
21 | (unassigned) | 68 | Acct-Tunnel-Connection
22 | Framed-Route | 69 | Tunnel-Password
23 | Framed-IPX-Network | 70 | ARAP-Password
24 | State | 71 | ARAP-Features
25 | Class | 72 | ARAP-Zone-Access
26 | Vendor-Specific | 73 | ARAP-Security
27 | Session-Timeout | 74 | ARAP-Security-Data
28 | Idle-Timeout | 75 | Password-Retry
29 | Termination-Action | 76 | Prompt
30 | Called-Station-Id | 77 | Connect-Info
31 | Calling-Station-Id | 78 | Configuration-Token
32 | NAS-Identifier | 79 | EAP-Message
33 | Proxy-State | 80 | Message-Authenticator
34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id
35 | Login-LAT-Node | 82 | Tunnel-Assignment-id
36 | Login-LAT-Group | 83 | Tunnel-Preference
37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response
38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval
39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost
40 | Acct-Status-Type | 87 | NAS-Port-Id
41 | Acct-Delay-Time | 88 | Framed-Pool
42 | Acct-Input-Octets | 89 | (unassigned)
43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id
44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.

A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following parts:
• Vendor-ID: ID of the vendor. The most significant byte is 0. The other three bytes contain a code compliant with RFC 1700. The vendor ID of Hewlett Packard Enterprise is 25506.
• Vendor-Type: Type of the subattribute.
• Vendor-Length: Length of the subattribute.
• Vendor-Data: Contents of the subattribute.

    For more information about the proprietary RADIUS subattributes of Hewlett Packard Enterprise, see "Proprietary RADIUS subattributes of Hewlett Packard Enterprise."

    Figure 5 Format of attribute 26
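The packet layout, the attribute TLV encoding, the attribute 26 subattribute layout, and the shared-key mechanisms described in the preceding sections can be made concrete in code. The following is an added example, not code from this guide or from the Comware implementation. It builds an Access-Request whose User-Password is hidden as RFC 2865 section 5.2 prescribes, encodes an attribute 26 subattribute with the Hewlett Packard Enterprise Vendor-ID 25506, parses packets with the Length rules stated above (padding beyond Length ignored, a datagram shorter than Length dropped), and verifies the Response Authenticator of an Access-Accept per RFC 2865 section 3. In an Access-Request the 16-byte Authenticator is a random value, so the receiver-side check described above is the one a client applies to the server's responses (requests are covered only when attribute 80, Message-Authenticator, is present). The shared secret, Request Authenticator, user names and addresses are constructed values.

```python
"""Added example (not from the HPE guide): RADIUS packet handling per RFC 2865.
Shared secret, Request Authenticator, user names and addresses are constructed."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes from Table 1 and attribute numbers from Table 2 of the guide
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, VENDOR_SPECIFIC = 18, 26
HPE_VENDOR_ID = 25506  # Vendor-ID for attribute 26 as stated in the guide
HEADER_LEN = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """TLV: Type, Length (counts Type, Length and Value), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, vendor_data: bytes) -> bytes:
    """Attribute 26: 4-byte Vendor-ID, then a Vendor-Type/Vendor-Length/Vendor-Data subattribute."""
    sub = struct.pack("!BB", vendor_type, len(vendor_data) + 2) + vendor_data
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c1 = p1 XOR MD5(S + RA) and
    ci = pi XOR MD5(S + c(i-1)). Keyed obfuscation, not authenticated encryption."""
    if len(password) > 128:
        raise ValueError("password exceeds 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ d for c, d in zip(block, digest)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


def build_access_request(identifier, secret, username, password, nas_ip, nas_port, request_auth=None):
    """Step 2 of the exchange: the Request Authenticator is 16 random bytes unless supplied."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attribute(USER_NAME, username.encode())
             + encode_attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def parse_packet(data: bytes):
    """Length rules from the guide: bytes past Length are padding and are ignored;
    a datagram shorter than Length (or than the fixed header) is dropped."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with the datagram")
    attributes, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute TLV")
        attributes.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:HEADER_LEN], attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, request_auth, attributes, secret):
    """Step 3: the server answers with an Access-Accept or Access-Reject."""
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check before acting on a reply: recompute the Response Authenticator with
    the saved Request Authenticator and compare in constant time."""
    code, identifier, received_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = response_authenticator(code, identifier, request_auth, response[HEADER_LEN:length], secret)
    return hmac.compare_digest(received_auth, expected)


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))  # fixed RA for a repeatable demo
    request, _ = build_access_request(7, secret, "alice", "s3cret", "192.0.2.10", 3, ra)
    accept = build_response(ACCESS_ACCEPT, 7, ra, encode_attribute(REPLY_MESSAGE, b"welcome"), secret)
    print("Access-Request:", request.hex())
    print("Access-Accept verifies:", verify_response(accept, ra, secret))
```

The `hide_password` routine is reversible by anyone who holds the shared key and sees the exchange, which is why the key must be confidential and unique per client and why RADIUS traffic is normally confined to a trusted network or carried inside IPsec; this is the property Table 3 contrasts with HWTACACS encrypting the whole packet body. The `parse_packet` checks are the defensive part: a server or proxy that trusts the Length field or an attribute Length without bounding them against the datagram reads past the buffer.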


HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server.

    HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary differences between HWTACACS and RADIUS.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS | RADIUS
Uses TCP, which provides reliable network transmission. | Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet.
Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process.
Supports authorization of configuration commands. Access to commands depends on both the user's roles and authorization. A user can use only commands that are permitted by the user roles and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Access to commands solely depends on the user's roles. For more information about user roles, see Fundamentals Configuration Guide.

Basic HWTACACS packet exchange process

Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.


    Figure 6 Basic HWTACACS packet exchange process for a Telnet user

HWTACACS operates using the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
9. The user enters the password.

Figure 6 labels: Host, HWTACACS client, HWTACACS server; the exchanges numbered 1) to 19) in the figure correspond to the numbered steps in the text.


10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response, indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.

LDAP

The Lightweight Directory Access Protocol (LDAP) provides standard multiplatform directory service. LDAP was developed on the basis of the X.500 protocol. It improves the following functions of X.500:
• Read/write interactive access.
• Browse.
• Search.

LDAP is suitable for storing data that does not often change. The protocol is used to store user information. For example, LDAP server software Active Directory Server is used in Microsoft Windows operating systems. The software stores the user information and user group information for user login authentication and authorization.

LDAP directory service

LDAP uses directories to maintain the organization information, personnel information, and resource information. The directories are organized in a tree structure and include entries. An entry is a set of attributes with distinguished names (DNs). The attributes are used to store information such as usernames, passwords, emails, computer names, and phone numbers.

    LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun ONE Directory Server.

LDAP authentication and authorization

AAA can use LDAP to provide authentication and authorization services for users. LDAP defines a set of operations to implement its functions. The main operations for authentication and authorization are the bind operation and search operation. The bind operation allows an LDAP client to perform the following operations:
• Establish a connection with the LDAP server.
• Obtain the access rights to the LDAP server.
• Check the validity of user information.

    The search operation constructs search conditions and obtains the directory resource information of the LDAP server.

    In LDAP authentication, the client completes the following tasks:


    1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.

    2. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.

    3. Binds with the LDAP server by using each user DN and password. If a binding is created, the user is considered legal.

    In LDAP authorization, the client performs the same tasks as in LDAP authentication. When the client constructs search conditions, it obtains both authorization information and the user DN list.

Basic LDAP authentication process

The following example illustrates the basic LDAP authentication process for a Telnet user.

    Figure 7 Basic LDAP authentication process for a Telnet user

The following shows the basic LDAP authentication process:
1. A Telnet user initiates a connection request and sends the username and password to the LDAP client.
2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.
3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.
4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.
5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.
6. After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found.
7. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server. The server will check whether the user password is correct.


    8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request.

9. The LDAP client saves the user DN that has been bound and exchanges authorization packets with the authorization server.
   • If LDAP authorization is used, see the authorization process shown in Figure 8.
   • If another method is expected for authorization, the authorization process of that method applies.
10. After successful authorization, the LDAP client notifies the user of the successful login.
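The client-side steps of this process (administrator bind, user DN search, bind with each candidate DN until one succeeds or all fail) can be followed in code. What follows is an added example, not code from this guide or from the Comware LDAP client. It runs the same sequence against a constructed in-memory directory that stands in for the LDAP server; a real client would issue the same bind and search operations through an LDAP library. The DNs, passwords and the `uid` attribute used in the filter are constructed values. The username is escaped per RFC 4515 before it is placed in the search filter, so characters such as `*` or `)` in the input cannot alter the query; the guide's description does not mention this, but a client that builds filters from user input should do it.

```python
"""Added example (not from the HPE guide): the LDAP client authentication flow
(administrator bind, user DN search, bind per candidate DN) over a constructed
in-memory directory. All DNs, passwords and attributes below are constructed."""
from typing import Dict, List, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; used only by the constructed directory below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN, each with a uid
    and a userPassword attribute. Only (uid=<value>) equality filters are understood."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base_dn: str, search_filter: str) -> List[str]:
        if not (search_filter.startswith("(uid=") and search_filter.endswith(")")):
            raise ValueError("unsupported filter")
        wanted = unescape_filter_value(search_filter[5:-1])
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith("," + base_dn) and attrs.get("uid") == wanted]


def ldap_authenticate(directory, admin_dn, admin_password, base_dn, username, password) -> Tuple[bool, str]:
    """Returns (authenticated, detail). On success detail is the bound user DN, which the
    client keeps for the authorization exchange (step 9 in the text)."""
    # Steps 3-4: administrator bind to obtain the right to search
    if not directory.bind(admin_dn, admin_password):
        return False, "administrator bind failed"
    # Steps 5-6: search under the configured base DN; the username is escaped before it is
    # placed in the filter, so "*" or ")" in the input are matched literally
    candidates = directory.search(base_dn, "(uid=%s)" % escape_filter_value(username))
    if not candidates:
        return False, "no user DN found"
    # Steps 7-8: bind with each candidate DN in turn; the first success ends the loop
    for dn in candidates:
        if directory.bind(dn, password):
            return True, dn
    return False, "all %d user DN binds failed" % len(candidates)


# Constructed directory. "alice" exists under two organizational units, which is the
# "one or more user DNs found" case from step 6.
DIRECTORY = InMemoryDirectory({
    "cn=admin,dc=example,dc=com": {"uid": "admin", "userPassword": "admin-pass"},
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": "alice", "userPassword": "staff-pw"},
    "uid=alice,ou=contractors,dc=example,dc=com": {"uid": "alice", "userPassword": "contractor-pw"},
    "uid=bob,ou=staff,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw"},
})
ADMIN_DN, ADMIN_PASSWORD, BASE_DN = "cn=admin,dc=example,dc=com", "admin-pass", "dc=example,dc=com"

if __name__ == "__main__":
    for user, pw in (("alice", "contractor-pw"), ("alice", "nope"), ("carol", "x"), ("*", "x")):
        print(user, ldap_authenticate(DIRECTORY, ADMIN_DN, ADMIN_PASSWORD, BASE_DN, user, pw))
```

Two points worth noticing when running it: the bind loop stops at the first DN that accepts the password, so the DN returned depends on the order the server returns candidates; and when all binds fail the function reports only a generic failure, which matches step 8 (the user learns that login failed, not which DNs were tried).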

Basic LDAP authorization process

The following example illustrates the basic LDAP authorization process for a Telnet user.

    Figure 8 Basic LDAP authorization process for a Telnet user

The following shows the basic LDAP authorization process:
1. A Telnet user initiates a connection request and sends the username and password to the device. The device will act as the LDAP client during authorization.
2. After receiving the request, the device exchanges authentication packets with the authentication server for the user:
   • If LDAP authentication is used, see the authentication process shown in Figure 7.
     • If the device (the LDAP client) uses the same LDAP server for authentication and authorization, skip to step 6.
     • If the device (the LDAP client) uses different LDAP servers for authentication and authorization, skip to step 4.
   • If another authentication method is used, the authentication process of that method applies. The device acts as the LDAP client. Skip to step 3.
3. The LDAP client establishes a TCP connection with the LDAP authorization server.
4. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.
5. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.

    6. The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server.

    7. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search.

    8. After successful authorization, the LDAP client notifies the user of the successful login.

AAA implementation on the device

This section describes AAA user management and methods.

User management based on ISP domains and user access types

AAA manages users based on the users' ISP domains and access types.

    On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login.

    Figure 9 Determining the ISP domain for a user by username

AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:
• LAN: LAN users must pass 802.1X or MAC authentication to come online.
• Login: Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console, AUX, or Async port.
• ADVPN.
• X.25 PAD.
• Portal: Portal users must pass portal authentication to access the network.
• PPP.
• IPoE: IPoE users include Layer 2 and Layer 3 leased line users and Set Top Box (STB) users.
• Web: Web users log in to the Web interface of the device through HTTP or HTTPS.
• SSL VPN.

    NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules.


AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.

    AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for whom no AAA methods are configured.

The device supports the following authentication methods:
• No authentication: This method trusts all users and does not perform authentication. For security purposes, do not use this method.
• Local authentication: The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
• Remote authentication: The NAS works with a RADIUS, HWTACACS, or LDAP server to authenticate users. The server manages user information in a centralized manner. Remote authentication provides high capacity, reliable, and centralized authentication services for multiple NASs. You can configure backup methods to be used when the remote server is not available.

The device supports the following authorization methods:
• No authorization: The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:
  • Non-login users can access the network.
  • Login users obtain the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.
  • FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
• Local authorization: The NAS performs authorization according to the user attributes locally configured for users.
• Remote authorization: The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is included in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available.

The device supports the following accounting methods:
• No accounting: The NAS does not perform accounting for the users.
• Local accounting: Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
• Remote accounting: The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure backup methods to be used when the remote server is not available.

In addition, the device provides the following login services to enhance device security:
• Command authorization: Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. For more information about command authorization, see Fundamentals Configuration Guide.
• Command accounting: When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
• User role authentication: Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.

AAA for MPLS L3VPNs

You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 10, you can deploy AAA across the VPNs. The PE at the left side of the MPLS backbone acts as a NAS. The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication. Authentication packets of private users in different VPNs do not affect each other.

    Figure 10 Network diagram

    This feature can also help an MCE to implement portal authentication for VPNs. For more information about MCE, see MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal authentication."

Protocols and standards

• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
• RFC 1777, Lightweight Directory Access Protocol
• RFC 2251, Lightweight Directory Access Protocol (v3)


RADIUS attributes

Commonly used standard RADIUS attributes

    No. Attribute Description 1 User-Name Name of the user to be authenticated.

    2 User-Password User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.

    3 CHAP-Password Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.

    4 NAS-IP-Address IP address for the server to use to identify the client. Typically, a client is identified by the IP address of its access interface. This attribute is only present in Access-Request packets.

    5 NAS-Port Physical port of the NAS that the user accesses.

    6 Service-Type Type of service that the user has requested or type of service to be provided.

    7 Framed-Protocol Encapsulation protocol for framed access.

    8 Framed-IP-Address IP address assigned to the user.

    11 Filter-ID Name of the filter list.

    12 Framed-MTU MTU for the data link between the user and NAS. For example, this attribute can be used to define the maximum size of EAP packets allowed to be processed in 802.1X EAP authentication.

    14 Login-IP-Host IP address of the NAS interface that the user accesses.

    15 Login-Service Type of the service that the user uses for login.

    18 Reply-Message Text to be displayed to the user, which can be used by the server to communicate information, for example, the reason of the authentication failure.

    26 Vendor-Specific Vendor-specific proprietary attribute. A packet can contain one or more proprietary attributes, each of which can contain one or more subattributes.

    27 Session-Timeout Maximum service duration for the user before termination of the session.

    28 Idle-Timeout Maximum idle time permitted for the user before termination of the session.

    31 Calling-Station-Id User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.

    32 NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.

  • 16

    No. Attribute Description

40 Acct-Status-Type Type of the Accounting-Request packet. Possible values include: 1 (Start), 2 (Stop), 3 (Interim-Update), 4 (Reset-Charge), 7 (Accounting-On), 8 (Accounting-Off), 9 to 14 (reserved for tunnel accounting), and 15 (reserved for failed). Values 1, 2, 3, 7, 8, and 9 to 15 are defined in RFC 2866.

45 Acct-Authentic Authentication method used by the user. Possible values include: 1 (RADIUS), 2 (Local), and 3 (Remote).

    60 CHAP-Challenge CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.

61 NAS-Port-Type Type of the physical port of the NAS that is authenticating the user. Possible values include: 15 (Ethernet), 16 (any type of ADSL), 17 (Cable, as in cable TV), 19 (WLAN-IEEE 802.11), 201 (VLAN), and 202 (ATM). If the port is an ATM or Ethernet port and VLANs are implemented on it, the value of this attribute is 201.

    79 EAP-Message Used to encapsulate EAP packets to allow RADIUS to support EAP authentication.

80 Message-Authenticator Used to authenticate and integrity-check RADIUS packets so that spoofed Access-Requests are rejected. It is an HMAC-MD5 over the packet, keyed with the shared key. This attribute must be present when EAP authentication is used.

    87 NAS-Port-Id String for describing the port of the NAS that is authenticating the user.

    Proprietary RADIUS subattributes of Hewlett Packard Enterprise

No. Subattribute Description

1 Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.

    2 Input-Average-Rate Average rate in the direction from the user to the NAS, in bps.

    3 Input-Basic-Rate Basic rate in the direction from the user to the NAS, in bps.

    4 Output-Peak-Rate Peak rate in the direction from the NAS to the user, in bps.

    5 Output-Average-Rate Average rate in the direction from the NAS to the user, in bps.

    6 Output-Basic-Rate Basic rate in the direction from the NAS to the user, in bps.

    15 Remanent_Volume Total amount of data available for the connection, in different units for different server types.


20 Command Operation for the session, used for session control. Possible values include: 1 (Trigger-Request), 2 (Terminate-Request), 3 (SetPolicy), 4 (Result), and 5 (PortalClear).

24 Control_Identifier Identification for retransmitted packets. Retransmitted packets from the same session must carry the same value; retransmitted packets from different sessions need not. The client's response to a retransmitted packet must also include this attribute with the same value. The Control_Identifier attribute does not take effect in Accounting-Request packets of the Start, Stop, and Interim-Update types.

    25 Result_Code Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.

    26 Connect_ID Index of the user connection.

28 Ftp_Directory FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute sets the working directory for an FTP, SFTP, or SCP user on the RADIUS client.

    29 Exec_Privilege EXEC user priority.

    59 NAS_Startup_Timestamp Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).

    60 Ip_Host_Addr User IP address and MAC address included in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.

    61 User_Notify Information that must be sent from the server to the client transparently.

62 User_HeartBeat Hash value assigned after an 802.1X user passes authentication, a 32-byte string. The NAS stores it in the user list and uses it to verify the handshake packets from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets.

    140 User_Group User groups assigned after the SSL VPN user passes authentication. A user can belong to multiple user groups that are separated by semicolons. This attribute is used to work with the SSL VPN device.

    141 Security_Level Security level assigned after the SSL VPN user passes security authentication.

    201 Input-Interval-Octets Number of bytes input within a real-time accounting interval.

    202 Output-Interval-Octets Number of bytes output within a real-time accounting interval.

    203 Input-Interval-Packets Number of packets input within an accounting interval in the unit set on the NAS.

    204 Output-Interval-Packets Number of packets output within an accounting interval in the unit set on the NAS.

    205 Input-Interval-Gigawords Amount of bytes input within an accounting interval, in units of 4G bytes.


    206 Output-Interval-Gigawords Amount of bytes output within an accounting interval, in units of 4G bytes.

    207 Backup-NAS-IP Backup source IP address for sending RADIUS packets.

    255 Product_ID Product name.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
MSR1002-4/1003-8S.
MSR2003.
MSR2004-24/2004-48.
MSR3012/3024/3044/3064.
MSR954 (JH296A/JH297A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

AAA configuration considerations and task list

To configure AAA, complete the following tasks on the NAS:

1. Configure the required AAA schemes:
Local authentication: Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
Remote authentication: Configure the required RADIUS, HWTACACS, and LDAP schemes.

2. Configure AAA methods for the users' ISP domains. Remote AAA methods need to use the configured RADIUS, HWTACACS, and LDAP schemes.


    Figure 11 AAA configuration procedure

To configure AAA, perform the following tasks:

Tasks at a glance:

(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes

(Required.) Configure AAA methods for ISP domains:
1. (Required.) Creating an ISP domain
2. (Optional.) Configuring ISP domain attributes
3. (Required.) Perform at least one of the following tasks to configure AAA authentication, authorization, and accounting methods for the ISP domain:
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain

    (Optional.) Enabling the session-control feature

    (Optional.) Configuring the RADIUS DAE server feature

    (Optional.) Changing the DSCP priority for RADIUS packets

    (Optional.) Setting the maximum number of concurrent login users

    (Optional.) Configuring and applying an ITA policy

    (Optional.) Configuring a NAS-ID profile

    (Optional.) Configuring the Acct-Session-Id format
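The two-step procedure above (configure schemes, then configure the ISP domain methods) in working form, as an added example rather than configuration from this guide: a RADIUS scheme rad1 for remote AAA, and an ISP domain corp that uses it for login (device management) users and LAN-access users, with local users as the backup method for login. The names rad1 and corp, the server address 10.1.1.1, the NAS source address 10.1.1.254, the shared key RadSecret1 and the Sysname prompt are assumptions, and the command syntax is Comware 7 as recalled, so check it against the command reference for this software version.

```text
<Sysname> system-view
[Sysname] radius scheme rad1
[Sysname-radius-rad1] primary authentication 10.1.1.1 1812
[Sysname-radius-rad1] primary accounting 10.1.1.1 1813
[Sysname-radius-rad1] key authentication simple RadSecret1
[Sysname-radius-rad1] key accounting simple RadSecret1
[Sysname-radius-rad1] nas-ip 10.1.1.254
[Sysname-radius-rad1] user-name-format without-domain
[Sysname-radius-rad1] quit
[Sysname] domain corp
[Sysname-isp-corp] authentication login radius-scheme rad1 local
[Sysname-isp-corp] authorization login radius-scheme rad1 local
[Sysname-isp-corp] accounting login radius-scheme rad1 local
[Sysname-isp-corp] authentication lan-access radius-scheme rad1
[Sysname-isp-corp] authorization lan-access radius-scheme rad1
[Sysname-isp-corp] accounting lan-access radius-scheme rad1
[Sysname-isp-corp] quit
[Sysname] domain default enable corp
[Sysname] display domain corp
```

The backup method (local) is used only when the RADIUS servers do not respond; an Access-Reject from the server ends the authentication, so local accounts are not a way around a server-side denial. The third choice, none, is the No AAA branch of Figure 11: authentication login none admits anyone who supplies a username, so never use it for login users. A shared key entered with simple is saved and displayed in ciphertext; use cipher only when pasting ciphertext copied from another device's configuration.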

Configuring AAA schemes

This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes.

[Figure 11 is a flowchart; only its text survives extraction. It starts from three branches: Local AAA (configure local users and related attributes), Remote AAA (configure the RADIUS, HWTACACS, or LDAP schemes to be used), and No AAA. All three lead to: create an ISP domain and enter ISP domain view, then configure AAA methods for different types of users and/or the default methods for all types of users. For each of the authentication method, authorization method, and accounting method, the choice is none, local (the default), or scheme.]


Configuring local users

To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
Device management user: User who logs in to the device for device management.
Network access user: User who accesses network resources through the device.

The following shows the configurable local user attributes:

Service type: Services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication. Service types include ADVPN, FTP, HTTP, HTTPS, IPoE, LAN access, PAD, portal, PPP, SSH, SSL VPN, Telnet, and terminal.

User state: Whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.

Upper limit of concurrent logins using the same user name: Maximum number of users who can concurrently access the device by using the same user name. When the number reaches the upper limit, no more local users can access the device by using the user name.

User group: Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."

Binding attributes: Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For support and usage information about binding attributes, see "Configuring local user attributes."

Authorization attributes: Authorization attributes indicate the user's rights after it passes local authentication. Authorization attributes include the ACL, idle cut function, PPP callback number, user profile, user role, VLAN, FTP/SFTP/SCP working directory, VPN instance, and IP service attributes. The IP service attributes include IPv4 address, IPv6 address, IPv6 address prefix, IPv6 address pool, primary or secondary DNS server address, and redirect URL. For support information about authorization attributes, see "Configuring local user attributes." Configure the authorization attributes based on the service type of local users. For example, you do not need to configure the FTP/SFTP/SCP working directory attribute for a PPP user. You can configure an authorization attribute in user group view or local user view. The setting of an authorization attribute in local user view takes precedence over the attribute setting in user group view.

    The attribute configured in user group view takes effect on all local users in the user group. The attribute configured in local user view takes effect only on the local user.

Password control attributes: Password control attributes help control password security for device management users. Password control attributes include password aging time, minimum password length, password composition checking, password complexity checking, and login attempt limit. You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."


Local user configuration task list

Tasks at a glance:
(Required.) Configuring local user attributes

    (Optional.) Configuring user group attributes

    (Optional.) Displaying and maintaining local users and local user groups

Configuring local user attributes

When you configure local user attributes, follow these guidelines:

When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.

You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users:
For PPP users, only the following authorization attributes are effective: callback-number, idle-cut, ip, ipv6, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, url, user-profile, and vpn-instance.
For IPoE users, only the following authorization attributes are effective: idle-cut, ip, ipv6, ipv6-pool, ipv6-prefix, user-profile, and vpn-instance.
For portal users, only the following authorization attributes are effective: acl, idle-cut, ip, ipv6, ipv6-pool, user-profile, and vlan.
For LAN users, only the following authorization attributes are effective: acl, user-profile, and vlan.
For HTTP, HTTPS, Telnet, and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For SSL VPN users, only the authorization attribute sslvpn-policy-group is effective.
For other types of local users, no authorization attribute is effective.

    To configure local user attributes:

Step Command Remarks

1. Enter system view.

system-view N/A

    2. Add a local user and enter local user view.

    local-user user-name [ class { manage | network } ] By default, no local user exists.


    3. (Optional.) Configure a password for the local user.

    For a network access user: password { cipher | simple } password

    For a device management user:

    In non-FIPS mode: password [ { hash | simple } password ]

    In FIPS mode: password

Network access user passwords are encrypted with a reversible encryption algorithm and saved in ciphertext (challenge-response methods such as CHAP can only be verified locally if the NAS can recover the plaintext). Device management user passwords are hashed and saved in ciphertext. In non-FIPS mode, a local user that has no password passes authentication as soon as the correct username is supplied and the attribute checks pass; configure a password for every local user. In FIPS mode, only password-protected users can pass authentication.

    4. Assign services to the local user.

    For a network access user: service-type { advpn | ipoe | lan-access | portal | ppp | sslvpn }

    For a device management user:

    In non-FIPS mode: service-type { ftp | { http | https | pad | ssh | telnet | terminal } * }

    In FIPS mode: service-type { https | pad | ssh | terminal } *

    By default, no service is authorized to a local user.

    5. (Optional.) Place the local user to the active or blocked state.

    state { active | block } By default, a created local user is in active state and can request network services.

    6. (Optional.) Set the upper limit of concurrent logins using the local user name.

    access-limit max-user-number

    By default, the number of concurrent logins is not limited for the local user. This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, who do not support accounting.

    7. (Optional.) Configure binding attributes for the local user.

    bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

    By default, no binding attribute is configured for a local user. Binding attribute call-number applies only to PPP users. Binding attribute ip applies only to LAN users using 802.1X. Binding attributes location, mac, and vlan apply only to IPoE, LAN, portal, and PPP users.


    8. (Optional.) Configure authorization attributes for the local user.

    authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | sslvpn-policy-group group-name | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *

The following default settings apply: FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

    The network-operator user role is assigned to local users that are created by a network-admin or level-15 user.

    9. (Optional.) Configure password control attributes for the local user.

    Set the password aging time:password-control aging aging-time

    Set the minimum password length: password-control length length

    Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]

    Configure the password complexity checking policy: password-control complexity { same-character | user-name } check

    Configure the maximum login attempts and the action to take if there is a login failure: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

    By default, the local user uses password control attributes of the user group to which the local user belongs. Only device management users support the password control feature.

    10. (Optional.) Assign the local user to a user group.

    group group-name By default, a local user belongs to the default user group system.
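Steps 1 through 10 as one complete configuration, added here as an example (it is not configuration from this guide): a device management user ops1 for SSH with a per-user password policy, and a network access user printer01 for 802.1X LAN access whose account is bound to a MAC address and an access port and is authorized into a VLAN and an ACL. The user names, passwords, the MAC address 0011-2233-4455, interface GigabitEthernet 0/1, VLAN 100, ACL 3000 and the Sysname prompt are assumptions. password-control enable is issued first because, as recalled for Comware 7, per-user password control attributes take effect only while the global password control feature is enabled; verify that and the rest of the syntax against the command reference for this release.

```text
<Sysname> system-view
[Sysname] password-control enable
[Sysname] local-user ops1 class manage
[Sysname-luser-manage-ops1] password simple Ops1-Strong-Pass9
[Sysname-luser-manage-ops1] service-type ssh terminal
[Sysname-luser-manage-ops1] authorization-attribute user-role network-admin
[Sysname-luser-manage-ops1] password-control aging 60
[Sysname-luser-manage-ops1] password-control length 12
[Sysname-luser-manage-ops1] password-control composition type-number 3 type-length 2
[Sysname-luser-manage-ops1] password-control complexity user-name check
[Sysname-luser-manage-ops1] password-control login-attempt 3 exceed lock-time 15
[Sysname-luser-manage-ops1] quit
[Sysname] local-user printer01 class network
[Sysname-luser-network-printer01] password simple Pr1nter-Pass-2016
[Sysname-luser-network-printer01] service-type lan-access
[Sysname-luser-network-printer01] bind-attribute mac 0011-2233-4455 location interface gigabitethernet 0/1
[Sysname-luser-network-printer01] authorization-attribute vlan 100 acl 3000
[Sysname-luser-network-printer01] state active
[Sysname-luser-network-printer01] quit
[Sysname] display local-user user-name ops1
[Sysname] display local-user user-name printer01
```

The binding attributes mean printer01 can only authenticate from that MAC address on that port, which limits what a leaked credential buys. access-limit is left out because it takes effect only when local accounting is configured for the user (accounting lan-access local in the ISP domain); it never applies to FTP, SFTP, or SCP users. Once password-control enable is set, display local-user no longer shows the passwords.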

Configuring user group attributes

User groups simplify local user configuration and management. A user group contains a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group. Local user attributes that are manageable include authorization attributes.

    By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.

    To configure user group attributes:


Step Command Remarks

1. Enter system view.

system-view N/A

    2. Create a user group and enter user group view. user-group group-name

    By default, there is a system-defined user group named system, which is the default user group.

    3. Configure authorization attributes for the user group.

    authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | sslvpn-policy-group group-name | url url-string | user-profile profile-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *

    By default, no authorization attribute is configured for a user group.

    4. (Optional.) Configure password control attributes for the user group.

    Set the password aging time: password-control aging aging-time

    Set the minimum password length: password-control length length

    Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]

    Configure the password complexity checking policy: password-control complexity { same-character | user-name } check

    Configure the maximum login attempts and the action to take for login failures: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

    By default, the user group uses the global password control settings. For more information, see "Configuring password control."
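The group-level procedure above combined with the precedence rule (a setting in local user view overrides the same setting in user group view), as an added example that is not configuration from this guide: a user group helpdesk that restricts the SFTP working directory and tightens the password policy for all of its members, plus two device management users, one inheriting the group settings and one overriding part of them. The group and user names, the directory flash:/helpdesk, the passwords and the Sysname prompt are assumptions; the syntax is Comware 7 as recalled and should be checked against the command reference.

```text
<Sysname> system-view
[Sysname] password-control enable
[Sysname] user-group helpdesk
[Sysname-ugroup-helpdesk] authorization-attribute work-directory flash:/helpdesk
[Sysname-ugroup-helpdesk] password-control aging 30
[Sysname-ugroup-helpdesk] password-control login-attempt 3 exceed lock-time 10
[Sysname-ugroup-helpdesk] quit
[Sysname] local-user alice class manage
[Sysname-luser-manage-alice] password simple Al1ce-Help-Desk7
[Sysname-luser-manage-alice] service-type ssh
[Sysname-luser-manage-alice] group helpdesk
[Sysname-luser-manage-alice] quit
[Sysname] local-user bob class manage
[Sysname-luser-manage-bob] password simple B0b-Help-Desk7x
[Sysname-luser-manage-bob] service-type ssh
[Sysname-luser-manage-bob] group helpdesk
[Sysname-luser-manage-bob] authorization-attribute work-directory flash:/helpdesk/bob
[Sysname-luser-manage-bob] password-control aging 7
[Sysname-luser-manage-bob] quit
[Sysname] display user-group helpdesk
[Sysname] display local-user user-name bob
```

alice gets the 30-day aging time, the three-attempt lockout and the flash:/helpdesk working directory from the group. bob is in the same group, but the settings in his local user view win: he gets flash:/helpdesk/bob and a 7-day aging time, while still inheriting the login-attempt limit he did not override. user-role is not in the group's authorization-attribute list, so both users keep the default network-operator role; and because password control attributes only affect device management users, adding network access users to this group would not enforce the aging time for them.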

Displaying and maintaining local users and local user groups

Execute display commands in any view.

Task Command

    Display the local user configuration and online user statistics.

    display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ipoe | lan-access | pad | portal | ppp | ssh | sslvpn | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

    Display the user group configuration. display user-group [ group-name ]


Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with those servers, including the server IP addresses, UDP port numbers, shared keys, and server types.

    Configuration task list

Tasks at a glance:
(Optional.) Configuring a test profile for RADIUS server status detection

    (Required.) Creating a RADIUS scheme

    (Required.) Specifying the RADIUS authentication servers

    (Optional.) Specifying the RADIUS accounting servers and the relevant parameters

    (Optional.) Specifying the shared keys for secure RADIUS communication

    (Optional.) Specifying a VPN for the scheme

    (Optional.) Setting the username format and traffic statistics units

    (Optional.) Setting the maximum number of RADIUS request transmission attempts

    (Optional.) Setting the status of RADIUS servers

    (Optional.) Specifying the source IP address for outgoing RADIUS packets

    (Optional.) Setting RADIUS timers

    (Optional.) Enabling the accounting-on feature

    (Optional.) Enabling the extended accounting-on feature

    (Optional.) Configuring the IP addresses of the security policy servers

    (Optional.) Interpreting the RADIUS class attribute as CAR parameters

    (Optional.) Configuring the Login-Service attribute check method for SSH, FTP, and terminal users

    (Optional.) Setting the data measurement unit for the Remanent_Volume attribute

    (Optional.) Specifying a HUAWEI attribute version for interpretation of HUAWEI RADIUS attributes 26-1 and 26-4

    (Optional.) Enabling SNMP notifications for RADIUS

    (Optional.) Displaying and maintaining RADIUS

Configuring a test profile for RADIUS server status detection

Use a test profile to detect whether a RADIUS authentication server is reachable at a detection interval. To detect the status of a RADIUS server, you must configure the server to use this test profile in a RADIUS scheme.

With the test profile specified, the device sends a detection packet to the RADIUS server within each detection interval. The detection packet is a simulated authentication request that includes the username specified in the test profile.
If the device receives a response from the server within the interval, it sets the server to the active state.
If the device does not receive any response from the server within the interval, it sets the server to the blocked state.

The device refreshes the RADIUS server status at each detection interval according to the detection result.
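The mechanism above in working form, added here as an example that is not configuration from this guide: a test profile probe-rad1 whose simulated authentication request is sent to the two authentication servers of scheme rad1 every 10 minutes (the interval is in minutes as recalled for Comware 7), and the display command that shows the resulting active or blocked state. The profile and user names, the probe password, the server addresses 10.1.1.1 and 10.1.1.2, the shared key RadSecret1 and the Sysname prompt are assumptions; check the syntax against the command reference for this release.

```text
<Sysname> system-view
[Sysname] radius-server test-profile probe-rad1 username radius-probe password simple Pr0be-Pass-1 interval 10
[Sysname] radius scheme rad1
[Sysname-radius-rad1] primary authentication 10.1.1.1 1812 key simple RadSecret1 test-profile probe-rad1
[Sysname-radius-rad1] secondary authentication 10.1.1.2 1812 key simple RadSecret1 test-profile probe-rad1
[Sysname-radius-rad1] quit
[Sysname] display radius scheme rad1
```

By the rule stated above, any response within the interval marks the server active, so the probe account does not have to exist on the server: an Access-Reject proves reachability as well as an Access-Accept does, and using a username that is deliberately not provisioned avoids creating a real credential whose only job is to cross the network every few minutes. Expect the server to log one rejected request per server per interval.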


    The device stops detecting the status of the RADIUS server when one of the following operations is performed: The RADIUS server is removed from the RADIUS scheme. The test profile configur